3

Let's say that I'm at Larry's Coffee Shop and they advertise that they have open WiFi. I open my laptop and find 2 open networks available, both called "Larry's Coffee". One of these is the authentic network, the other is run by a hacker.

If I run a VPN on my laptop, is there ANY benefit to connecting to the authentic network vs. connecting to the hacker network?

My thoughts: If I connect to the hacker's network I guess he could throttle my speed or deny me access to the internet altogether. However, from a privacy / security point of view, are they the same? We can assume that whatever is on the other side of the VPN is trustworthy. (and yes, I realize that Larry's open network isn't too secure to begin with, but is better than one run by a hacker).

Sander Smith
  • 1
    This might be helpful to you. You're not completely out of the weeds when connecting to a nefarious network. [are vpns vulnerable to active man in the middle attacks](http://security.stackexchange.com/questions/77241/are-vpns-vulnerable-to-active-man-in-the-middle-attacks) – Jack Bahou Feb 26 '16 at 02:46
  • If it's an open network, you can assume the attacker is controlling it anyway, in which case it does not matter. – multithr3at3d Feb 26 '16 at 05:33
  • 1
    It's equally safe if the VPN itself has good encryption and authentication AND you make sure no sensitive traffic goes out 'around' the VPN or before it is set up -- and today most computers have lots of features that 'phone home' whenever a network is connected, even a bad one; see http://security.stackexchange.com/questions/96321/public-ap-how-to-reduce-vulnerability-window-between-captive-portal-and-startin and http://security.stackexchange.com/questions/114762/can-an-open-wi-fi-hotspot-be-considered-secure-when-using-a-vpn-connection – dave_thompson_085 Feb 26 '16 at 08:12

2 Answers

4

First you should make sure that your VPN actually is a full VPN, i.e. includes DNS lookups, IPv6 etc. and properly authenticates its peer. This is not the case with all software calling itself VPN. You also should be aware that, depending on the quality of the implementation, corrupted VPN packets might be used as an attack vector.

A major problem might be the captive portal which is often used in free WiFi networks. Such portals usually must be accessed first with a browser before you can even establish your VPN. If you do this with the normal browser, the captive portal can be used to capture existing session cookies to other sites, inject stuff into the browser cache or attack you with a drive-by-download - and all of this before you even had a chance to create your VPN tunnel. This kind of risk can be reduced if you use a specifically designed minimal and fully sandboxed browser to deal with this portal.

Steffen Ullrich
  • I think there also may be risks about non-browser services running in the background and accessing the net before VPN initialization. – Neil Smithline Feb 26 '16 at 14:47
  • Yet another risk is if your VPN drops you can end up switching over to unprotected communications without warning. – Peter Green Jul 29 '16 at 17:43
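
The "full VPN" condition in the answer above (IPv4, IPv6 and DNS all inside the tunnel) can be checked from the routing table once the tunnel is up. The following is an added example, not part of the original answer or comments: it takes the text of `ip -4 route show`, `ip -6 route show` and `/etc/resolv.conf` and reports every path that bypasses the tunnel. The interface names, addresses and sample routes are constructed, and it assumes `resolv.conf` lists the real resolvers rather than a local stub.

```python
import ipaddress

def parse_routes(text, family):
    """Turn `ip -4/-6 route show` output into (network, device) pairs."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue  # e.g. blackhole routes carry no device
        try:
            net = ipaddress.ip_network(default if tok[0] == "default" else tok[0], strict=False)
        except ValueError:
            continue  # typed routes ("unreachable ...") are ignored here
        routes.append((net, tok[tok.index("dev") + 1]))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match (metrics ignored); None when nothing matches."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(hits)[1] if hits else None

def leak_report(v4_text, v6_text, resolv_conf, tun):
    """List every path by which traffic or DNS would bypass interface `tun`."""
    v4, v6 = parse_routes(v4_text, 4), parse_routes(v6_text, 6)
    findings = []
    # Probes are documentation addresses standing in for "any internet host".
    for label, routes, probe in (("IPv4", v4, "198.51.100.7"), ("IPv6", v6, "2001:db8::7")):
        dev = egress_dev(routes, probe)
        if dev not in (None, tun):
            findings.append(f"{label} traffic leaves via {dev}")
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            dev = egress_dev(v6 if ":" in parts[1] else v4, parts[1])
            if dev != tun:
                findings.append(f"DNS resolver {parts[1]} reached via {dev}")
    return findings

# Constructed sample: OpenVPN-style /1 routes cover IPv4, IPv6 is untouched.
V4 = """0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.10 via 192.168.1.1 dev wlan0"""
V6 = "default via fe80::1 dev wlan0 proto ra metric 600"
DNS = "nameserver 10.8.0.1\n"

if __name__ == "__main__":
    print(leak_report(V4, V6, DNS, "tun0") or "no leak found")
```

On the constructed sample the IPv4 and DNS paths are covered, but the router-advertised IPv6 default route still points at the WiFi interface, so IPv6 traffic would go out over the untrusted network.
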
1

Not that I'm an expert on this stuff, but I can't think of anything all that dramatic unless the hacker happened to be the NSA and you a terrorist. Otherwise, the encryption provided should be fine.

EDIT: This all depends on you using an entirely secure VPN. It would be more prudent to connect to a (more) trusted network.

Stoud